Login: Support | Partner    
Home » Technology » Greenbone OS: Current 

Greenbone OS: Current

Releases under development are listed here: Roadmap.

Releases beyond status End-of-Life are listed here: Old Releases.

Please read in our Learning Center about how to execute a upgrade and what to consider for this.

2015-01-26: Greenbone OS 3.1


Latest patch level: 3.1.22 (2015-10-30)

The items marked with (*) will change the default behaviour.

  • New: Dynamic charts "bar-chart", "donut" "lines" and "bubbles" for SecInfo Management of the web interface. For each object types, two chart types can be selected. Each chart can be detached into a window of its own, the underlying data can be exported in CSV format or opened as HTML table, the SVG representation can be opened in the browser or be exported.

  • New: Dashboard overview for SecInfo Management of the web interface. It consists of 4 charts which can each be individually selected by type and combined with a powerfilter. The configuration is persistent for each user.

  • New: Dynamic diagrams for tasks analog to SecInfo Management.

  • New section "Results" under menu "Scan Management". This section offers a object management for all of the scan results in the database a user has permission for. In other words, searching and filtering for results is now possible independent of a scan report.

  • New: SecInfo object type "CERT-Bund" which are the advisories published by the German federal CERT.

  • New: Attribute "Solution Type" for NVTs and results.

  • New: Bulk actions for example to remove or download many objects within a single action.

  • New: Configuration type "Scanner" allows to configure additional scanners of type OpenVAS (the default and pre-configured one) or OSP-based scanners. OSP stands for OpenVAS Scanner Protocol which can be used to wrap up arbitrary scanners with a generic interface to be handled generically for the vulnerability management.

    The task management is extended with scanner-type dependent alternatives.

    These features prepare the integration of OSP scanners. Any default settings and behaviour remains like in the previous Greenbone OS release. OSP is entirely optional.

  • New: Option for anonymous guest access. Apart from the new role "Guest" which is similar to role "Info" allowing access only to the SecInfo section, there is now the opportunity in gos-admin-menu to enable access for guests. This makes it also possible to use static URLs to link into certain views in the SecInfo section.

  • New: Role "Monitor" that allows access to the performance data of the GSM.

  • New: Role "Super Admin" that allows access to all objects of all users.

  • New: Permissions "Super" that for example allows to create Group Administrators.

  • New: The filenames for Downloads can now be configured via "My Settings".

  • New: Wizard for modifying a task.

  • GXR/GSR: These report format plugins were re-worked. Especially GSR was changed to have less pages for the same content and to get created faster.

  • Tasks: The dialog for setting permissions is re-worked.

  • Timezones: The configuration of timezones was changed so that now there is offered a drop down list of available timezones instead of a entry field for specifying the timezone in text form.

  • (*) Users are now allowed to have multiple simultaneous sessions, as long as the sessions are on different browsers. Up to GOS 3.0, a second session always invalidated the previous one regardless of which browser is used.

  • For any web interface page, the duration of the backend operation will be shown at the bottom.

  • (*) Credentials: The public key of SSH credentials is not required anymore because it is extracted from the private key.

  • Credentials/Targets: Credentials for ESXi target systems can now be configured directly with the Target object instead of in the Scan Configuration object.

  • New: Statistics module at OMP level represented by the command "GET_AGGREGATES" which is also the foundation for charts.

  • (*) When a task is requested to stop, the scanner will now be advised to switch immediately into the final phase of scanning. With GOS 3.0 the scanner immediately stopped activity and did not return so far collected host details. With GOS 3.1 this is now transferred to the database.

  • New internal inter-process communication of scanner.

  • Memory consumption of scanners reduced by 50%.

  • (*) Dropped support for pausing of tasks (OMP).

  • (*) Dropped support of outdated "openvasrc" Format (OMP).


Patch-Level GOS 3.1:

  • 3.1.22 (2015-10-30):

    • GOS-Admin:

      • Improved robustness of the central data manager against special load and stress situations (#53834, #53825, #53832, #53646, #2015100710000047).

  • 3.1.21 (2015-10-20):

    • Web-Interface and OMP:

      • Minor Bugfix: Subject for email alerts are now prefixed with "GSM" (#53282).

    • GOS-Admin:

      • At high load it could happen that more than one feed update is executed in parallel. This could lead to a blocking situation (#53356, #53360, #2015100710000047).

      • The upgrade starting from a factory reset could lead to error messages in the log during a feed update due to inconsistent data migration (#53358, #2015100610000031).

  • 3.1.20 (2015-10-07):

    • GOS-Admin:

      • Bugfix: An issue which could cause the upgrade process to abort under certain circumstances has been addressed (#53089, #2015100210000065).

      • Improved detection and reporting of inconsistent internal state via gos-admin-menu (#53091).

      • Improved visibility of upgrade process in system log files (#44607).

  • 3.1.19 (2015-09-29):

    • Web-Interface and OMP:

      • Accelerated responses for task overview in case of high scan loads (#50860, #2015070610000037).

      • New: Extended configuration of email alerts. The title as well as the message body can now be specified individually. Some variables can be used to reference the task and to use text elements. The pre-configure settings reflect the title and content as was so far. So, there is not necessary to immediately change anything (#50859, #50572, #2015070810000042).

      • GSR Report: Under certain circumstances (triggered by an alert) wrong severity colors and classes could be applied that did not match the actual CVSS (#51820, #50171, #2015081810000058, #2015062310000015).

      • New: XML representation of tasks now includes the tags attached to the task (#52478).

      • Bugfix: Credentials shared via permissions were in some cases not accessible for the scan (#50363, #2015070110000028, #2015070810000051).

      • Bugfix: It could happen that a shared sub-object (for example a port list) was not readable (#51416, #2015080410000039).

      • Bugfix: Access of super admin via LDAP is not denied anymore (#48824, #2015042710000021).

      • Bugfix: When using dynamic severity, it could happen that timeout messages were displayed as a regular result instead of as an error (#50324, #2015070110000019).

      • Minor Bugfix: In scan configurations it could happen that the displayed number of selected NVTs for a family was wrong. The actual selection was handled correctly (#48250).

    • Web-Interface:

      • Bugfix for the export of larger data collections from ca. 100 objects, for example CPE resources (#52174).

      • New: When creating a new target, now the pre-set target is the source IP address of the user's browser system (#47098, 51639, 51925).

      • New: When creating a new task, now it is possible to directly specify a tag for the new task (#35488, #2014022510000066).

      • Bugfix for host restrictions for a user: Ranges that were expressed using the hyphen syntax (from-to) were not accepted (#50915, #2015080710000015).

      • User names may now contain the dot character (".") (#51136).

      • Minor Bugfix: The Chinese translation is now identified as "zh_CN" instead of just "zh" (#51112).

      • Minor change: Die login page now has a CSS of its own (#50915).

      • New: The "Content-Security-Policy" settings are now used to limit the embedded access from within other sites (#51375).

    • GOS-Admin:

      • Accelerated Upgrade: Under certain circumstances a automatic update could take several hours because some internal data optimizations were executed. These are not enforced anymore for each upgrade (#51481, #2015081010000045).

      • Failed logins for the web interface are now logged by default including the source IP address (#51926).

      • Minor Bugfix: Applying changes of TLS Cipher is less delayed now (#43785).

      • Minor Bugfix: Lowered log noise about upgrades (#49956).

    • Scanner:

      • Accelerated scans by about 10%. The actual achievements depend on various circumstances and might be even better (#48799).

      • Improved integration of the web application scanner w3af, now also supporting the seed URL setting (#51266, #51334, #51412, #51283).

      • Improved integration of the IDS PaloAlto (#52600, #52579).

      • Improved error handling of OSP scanners (#51335).

      • Minor Bugfix: When creating a OSP scanner, expired certificates are immediately rejected (#50398).

      • OSP servers now refuse to launch with a certificate that expired anyway (#50397).

      • Bugfix: Dynamic severity will not display OSP scanner results as "0.0" anymore (#50738).

      • New: OSP connector for Fortinet which however is not yet supported for use (#49627, #52104).

      • OpenVAS Scanner: The option "max_sysload" was removed as a scan configuration option, because it is a system wide setting, not a scan-specific one (#51263).

      • Bugfix for OpenVAS Scanner: Improved SSH host key detection (#50588).

  • 3.1.18 (2015-09-24):

    • Hardware:

      • Security update for GSM 600 and GSM 650 that resets unconfigured factory settings of the BMC (Baseboard Management Controller) to save values. A reboot after the upgrade is not necessary. Running scans are not affected. An attacker from the same network segment could read device status, turn off the device or enforce its reboot. (#52838, GBSA-2015-01).

  • 3.1.17 (2015-08-03):

    • Web-Interface and OMP:

      • Improvement of filtering regarding QoD by extending the use of filter element "min_qod". This helps for a consistent view for default settings (#46117).

      • Extended powerfilter for results: All results for a task across all reports can be selected for a certain CVE (for example "task_id=69512154-167c-4e12-9351-a778da2d29e9 and cve~2004-2320") (#48539, #2015041010000025).

      • Bugfix for the powerfilter when searching for parts of an IP address (#49497, #2015052910000015).

      • Resolved inconsistencies (None vs. Log) when handling PCIDSS severity classes and corrected ranges (#49080, #49075).

      • GSR PDF reports: Size limitation extended (#49655, #2015040810000021).

      • GSR/GXR PDF Reports: With more than 100 hosts the topology graph will not be included anymore since details can not be identified anymore anyway. With this, the creation of the larger reports is also accelerated (#49269, #2015051810000018).

      • Bugfix: QoD for "general_note" is now displayed with 1% and not anymore with the default of 75% (#50325).

      • Bugfix: The installation routine for automatically created credentials now also works for Windows 2012 R2 and Windows 10 (#47269, #2015030210000033).

      • Bugfix: Improved error handling for invalid user input for the powerfilter (#49412).

      • Bugfix: Global users were missing in the selection box for permission dialogs (#49381, #50497, #2015070610000046).

      • Minor bugfix: Less process overhead for the creation of report documents (#48977).

    • Web-Interface:

      • Improved support for user interface languages. By restructuring the handling it is now easier to add more languages. In this context, German and Chinese was updated and a partial translation for Russian was added (#44479, #50723).

      • Extended bulk actions: It is now allowed to handle a larger number of objects with a single action, for example to delete a larger number of reports (#50584, #2015070610000028).

      • Details dialog for tasks: Added the information about the total number of single results related to this task across all reports. This includes a direct link into the results table (#49628).

      • Improved: New User dialog now does not allow to enter a password in case LDAP is used because it was and is ignored anyway (#49271).

      • Bugfix for permissions: In some special cases the action icons were greyed out although the actions were allowed (#49583).

      • Bugfix for the Powerfilter: In some cases the combination of keywords did not establish the right selection, for example the combination of the keywords "task_id" and "cve". (#49675).

      • Bugfix for the creation of a schedule: The comments was not stored (#49595).

      • Extended the set of allowed characters for comments by ":" (#49494, #2015052810000026).

    • GOS-Admin:

      • User-data backups can now be created even when the database exceeds the size of 4 GByte (#48109).

      • Extended the set of allowed characters for the SNMPv3 password by "$#?!" (#49312, #2014100110000023).

      • The SNMP setting are now also available via GOS-Admin-Menu for the GSM 25 (#49448, #2015052710000019).

      • Bugfix for the import of reports: The detection details were not imported (#49660, #2015060410000033).

      • Bugfix for the SNMP trap setting (#46321, #50323, #2015013010000029, #2015063010000083).

      • Bugfix to prevent non-functional internal processes. However, there was no impact on performance (#48109).

      • Minor bugfix for the scanner for rare special cases (#49593).

      • The setting "proxy_update" was not used since a very long time and now is finally removed. Instead, the setting "proxy_feed" is used (#49593).

      • Improved internal error messages in case of database problems (#48876).

    • Scanner:

      • Bugfix: Under certain conditions single checks were aborted too early (#48906).

      • Bugfix: For Linux systems with large package databases (ca. more than 8000 packages) it could happen that the list was truncated and thus not all packages were analyzed (#49727).

      • OSP: Extended to handle ports as host details and to handle timestamps (#48800, 49584).

      • New: Beta version of Palo-Alto OSP scanner for selected pilot customers (#48538, #51194, #50912, #50858).

      • New: Beta version of w3af OSP Scanner for selected pilot customers (#50912, #43436, #49673).

  • 3.1.16 (2015-07-03):

    • Web-Interface and OMP:

      • Bugfix: A scheduled start of a task will now only be done for the owner of the task (#50140, #2015020210000026).

      • Bugfix: A scheduled start of a task will now only be done once per given time window (#50314, #2015063010000065).

  • 3.1.15 (2015-06-19):

    • Web-Interface and OMP:

      • Bugfix: When stopping a scan task it could happen that the status of the task hangs at "Stop requested". Only a reboot did set back the status to "Stopped" (#49496, #2015052810000017).

      • Bugfix: A report creation triggered by an alert could block the database for the duration of the report creation (#49975).

  • 3.1.14 (2015-06-16):

    • Web-Interface and OMP:

      • Bugfix: A combination of scans with a configured time window and automatically coupled creation of reports could lead to a blocked database in case the Scan was comprehensive or the time window short (#49861, #2015061110000011).

  • 3.1.13 (2015-05-21):

    • Web-Interface and OMP:

      • Permissions: Extended dialog for setting new permissions. It is now possible to create multiple permissions in one step. For example it is now possible when changing a target object, to apply the same permissions automatically to the related port list and credentials.

        Concurrently a unified permission dialog for all object types is introduced. It is available on the respective details pages. And it offers a direct link into the permission creation dialog and automatically configures all related objects for it.

        In total this increases the comfort for creating, reviewing and modifying permissions.

        (#46998, #2014120410000032, #44025, #48540, #47336, #2015030510000028, #47359).
      • QoD: Some inconsistent default filtering (min_qod) is now unified and the current min_qod selection will be kept when entering into a report (#46989, #47891).

      • Bugfix: The deleting of Report Format Plugins failed under certain conditions (#48961).

      • Bugfix: Accessing the trashcan failed under certain, rare conditions (#49058, #2015050710000021).

      • Bugfix: It was possible that by removing an override the severity did not follow the change (#47789).

      • Passwords for web and OMP users: Now it is also allowed to use whitespace and part of a password (#48712, #2015042210000021).

      • The Report Format Plugin "Verinice-ITG" is now a pre-configured plugin and it is not required anymore to import it explicitly (#41765).

      • Bugfix: The name of a NVT and its last tag are now considered for filtering (#48891, #2015041610000023).

      • Bugfix: The sorting by "Last" report in the task list did not work properly (#48823, #2015042710000011).

      • Bugfix for slave tasks: In case the sensor or slave was not reachable, it was problematic to stop a started scan as long as the start was still was not established (#48877, #2015040110000024).

      • Bugfix for the filtering of scan results when searching for a specific IP address. The filter acted a bit fuzzy under certain condition which was now changed to match strictly (#47710, #48890, #2015040210000041).

      • Bugfix: Filter directives for delta reports were executed properly, but in the new view the filter was lost (#48063).

      • Bugfix: Individual port lists that were used for a scan via a slave or sensor where not automatically deleted after the scan finished (#47889).

      • Bugfix about displaying the trust status of Report Format Plugins (#47721, #2015022310000013).

      • Bugfix for the manual creation of overrides so that now also the port protocol can be specified, for example "80/tcp" (#48715, #2015031810000031).

      • Bugfix: Under certain conditions it could happen that expanding the results view did not show the actual details in case the results are owned by another user (#47411).

    • Web-Interface:

      • Bugfix: Links from the Asset Management into a report did not filter for the exact IP. The IP was used only as a substring (#48981).

      • Bugfix: The version info about GSR and GXR did wrongly not show the actual version 3 (#48115).

      • Bugfix: The counter for notes and overrides in the NVT details dialog showed always 0 (#48247, #2015040810000048).

      • Minor extensions of the online help texts (#47708, #47858).

    • GOS-Admin:

      • Via GOS-Admin it is now possible on a master GSM to advise all connected sensors to create a new self-signed certificate in case their current certificate expired (#48788).

      • OMP via IPv6: In case OMP is enabled, this protocol can now be accessed also via IPv6 (#13592).

      • User-Data backups: In GOS-Admin-Menu there is a new function that shows all local user data backups (#47787).

      • User-Data backups: In GOS-Admin-Menu there is a new function that allows to remove single local user data backups (#44852).

      • Bugfix for GOS-Admin: For several IP address settings like for NTP or for sensors it was not possible to enter IPv6 addresses (#48523).

      • Backup Management: The structure in GOS-Admin-Menu was re-organized with a better separation of backup types and backup settings (#44769).

      • Minor Bugfix for the selfcheck in GOS-Admin-Menu: For GSM models that can not manage sensors, the sensor check is not displayed anymore (#48442).

      • Bugfix for GOS-Admin-Menu to add a scroll bar for the sensor check results (#47055, #2015022010000019).

    • Scanner:

      • Bugfix: By stopping and then resuming a task it could happen that in the overlapping range some results were doubled (#48538, #48974, #2015041710000031).

      • Bugfix: In some cases the hostname for a scanned IP was missing in the results (#44904).

  • 3.1.12 (2015-04-23):

    • Scanner:

      • Bugfix for the scanner which did not reliably executed some tests for some Windows systems. This lead to a lower number of detected vulnerabilities compared to GOS 3.0 (#46115, #48521).

  • 3.1.11 (2015-04-08):

    • Web-Interface and OMP:

      • Bugfix for the NVT details: The CVSS vector was missing in GOS 3.1.10. After the next feed update the vectors will be visible again (#48062).

  • 3.1.10 (2015-04-01):

    • Web-Interface and OMP:

      • Comprehensive update of the Report Format Plugins GXR and GSR. The representation of is more compact now. Especially the GSR will now get created faster and will have less pages. Apart from that, several new functions are support now like solution type and QoD (#46216).

      • The Report Format Plugins GXR and GSR now offer a tabular overview about the success of target host authentications (SMB, SSH and ESXi) (#45700, #2015011510000021).

      • Bugfix for GSR Report Plugin: The text entry about overrides was missing (#47212).

      • New Report Format Plugin "Anonymous XML": Like XML, but IP addresses get pseudonyms and other potential hints about the origin of the scan are removed as well (#38250).

      • Comprehensive update of the permissions management regarding visibility of objects by Users, Groups and Roles. Now, several dependencies will be considered by the permissions management (#47310, #2015030410000011).

      • Bugfix for automatically created Debian credential packages (#46996).

      • Fully automized update of CERT-Bund now activated (#45364, #47176, #2015022610000062).

      • Bugfix for the keyword "owner" when used in the powerfilter (#46915).

      • Bugfix regarding transfer of task properties to scan slaves (#46721).

      • Change for schedules: A scheduled task was not executed in case no scanner resource was available for 3 minutes after schedule start time. This limit was removed now (#46897).

      • Bugfix to prevent piling up of lost scanner processes that slow down a GSM over time (#47854).

      • Bugfix regarding changing the "Host-Alive" method (#47989).

    • Web-Interface:

      • Charts: Tooltips extended with percentages and added tooltips for the legend (#47358).

      • Bugfix: Overrides were applied in the Report-Browser, but False Positives were not displayed (#47096).

      • Improved usability of powerfilters: The text entry now contains only specific elements. All others are displayed below, but could be set anytime as well (#45912).

      • Minor bugfix for Task Details Dialog: The Slave name is not displayed anymore if no slave is used anyway (#46819).

      • Minor bugfix to correctly handle some very specific HTTP request to the web interface (content-length headers) (#15343).

      • Improved online help for Scanner Details (#47282).

      • Added download option for certificates of OSP scanners (#47281, #47283).

      • SecInfo for NVTs was internally changed to now use the OMP command GET_INFO (#39910).

      • Minor bugfix: Graphical bug in Charts regarding too many percentage characters (#47357).

      • Minor bugfix: Graphical bug for IT-Schwachstellenampel regarding URLs (#46969).

      • Minor Bugfix for status info of OpenVAS Scanner: It was wrongly displayed that the scanner is offline (#47280).

    • GOS-Admin:

      • Extended SNMP monitoring parameters and MIB: The MIB for the Greenbone Security Managers as well as the newly supported standard properties are now documented at the Greenbone website about SNMP (#44239, #29960, #2013052810000039).

      • Internal improvement for self-check after an upgrade to identify incomplete upgrades (#47579).

      • Internal improvement of management of OSP Ovaldi: Certificate update via GOS-Admin-Menu (#47219).

      • Minor bugfix of NTP configuration to avoid error messages in the log (#46726, #2015021110000027).

      • Minor bugfix for CLI Admin: For some unneeded commands (for example nosystemupgrade) there was still an alias entry. These were removed now. (#47264).

      • For GSM ONE the menu "Advanced Management" is now back in GOS-Admin-menu (#47724).

      • Improved Boot-Check log (#43682).

      • Minor bugfix for a problem that produced many log entries (parse_ctime) (#46815).

    • Scanner:

      • Internal improvement: For NVTs of the OpenVAS Scanner it is not mandatory anymore to deliver a CVSS Base if they already offer a CVSS Base Vector (#41456).

      • Improvement of authenticated scans for target systems with specific SSH services and key types (#47304, #47278, #29613).

      • OSP-ovaldi now also delivers its own CPE as a host detail (#45909).

      • New Parameter "debug_mode" for all OSP scanners (#45906).

  • 3.1.9 (2015-03-13):

    • Bugfix for internal GOS upgrade handling (#47513).

  • 3.1.8 (2015-03-05):

    • Bugfix regarding TLS certificates of the pre-configured scanner. Under certain conditions it could happen that no scans are executed anymore and a manual update of the certificates was necessary. This has now been automated (#47279).

  • 3.1.7 (2015-03-03):

    • Quality of Detection (QoD): This concept for the reliability of successful detections of vulnerabilities now arrived also in the web interface. New NVTs were already equipped with specific QoD values (between 0% and 100%) for some time. The QoD is now visible for NVTs as well as for the scan results. Of course, it is now possible to use the QoD to filter. The defaults are chosen to match the previous behaviour. This means, the same number of results are filtered which corresponds to a QoD of 70%.
      With this new feature, the parameter "paranoid" in the scan configurations is dropped, because now even those tests with a low reliability are always executed. The results are present in the database and can be reviewed if needed. A separate scan for detecting so-called "potential vulnerabilities" is not necessary anymore. (#46396, #38193, #46118).

    • Extension of the permissions dialog for tasks: When granting permissions to a task, now the same permission is automatically granted for the depending objects like schedules or alerts. (#39459, #2014072210000017).

    • Reduction of DNS Reverse Lookups of the GSM for NTP servers (#46965, #2015012110000037).

    • Bugfix for executing scans via slaves: Now the configured port list is applied and not just the default port list (#46632).

    • Bugfix for the use of SSH keys for SSH credentials (#46474).

    • Bugfix for the Restore function of the user-data backup on GSM 100 when migrating to GOS 3.1 (#46813, 46835, 46241, 46515).

    • Bugfix for drop-down dialog elements for timestamp in task wizards (#46125).

    • Bugfix for scan progress bar: The progress is now reflected more adequately (#18591, #46694, #2015020210000053).

    • New functions via via gos-admin-menu (section "Advanced") to manage the database (vacuum, analyze) (#41097, #43688).

    • Bugfix for sensor upgrades, specifically for airgap (#46836).

    • Bugfix for individual timeout configuration of NVTs when executed via a slave system (#44857, #2014121110000019).

    • Bugfix for missing transfer of ESXi credentials to slave systems (#46691).

    • Creating web users with the same name is not allowed anymore (#46214).

    • Alterable tasks: If all reports are removed, the task does not anymore automatically turn into a regular tasks. It rather remains to be a alterable task (#42226, #2014101310000028).

    • Extension for creating a new task: It is now possible to assign a schedule and configure to execute the schedule only once. After this schedule is executed, it will automatically be removed from the task (#46184, #2015012610000028).

    • Tasks with schedules that define only a single execution: After the scan was started, the schedule object is removed from the task object because it won't be ever executed anymore anyway. This means that now any task in the task overview that has a schedule symbol will definitely be executed in the future at least once. (#45943, #46185, #2015012610000046).

    • Extension of the selfcheck in gos-admin-menu to check availability of internal OMP service (#46397).

    • Update of an external link inside the Online Help system (#46390, #2015013010000047).

    • Update of the SSH library of the OpenVAS Scanner so that authenticated scans work even with newest SSH servers (#46542).

    • Bugfix for sorting the numerical column "IPs" of targets (#39267, #2014071710000018).

    • Bugfix for Superadmin: Icons for cloning are not greyed anymore (#45888).

    • Bugfix for Superadmin: Access to notes and overrides is now possible (#45889).

    • Bugfix for auto-credentials (#45729, #45730).

    • Improved WMI RSOP support for the OpenVAS Scanner (#40407).

  • 3.1.6 (2015-01-26):

    • Last release of Beta phase. First release of 3.1.

2013-06-07: Greenbone OS 2.2.0


Latest patch level: 2.2.0-37 (2015-07-01)

The items marked with (*) will change the default behaviour.

  • Tasks: Now with new object management

    Tasks are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.

  • Overrides: Now with new object management

    Overrides are now handled via the new object management and therefore gain access to the power filter and to the trashcan. Functionalities Clone and Export are also added.

    Furthermore Overrides can now be directly created even without necessity to go via a Task.

    All user interfaces where lists of Overrides were shown, like for NVT Details, were changed so that the lists are replaced by a link into the Overrides management with a appropriate context filter.

  • SecInfo Management: CVE data with new object management

    The CVE Lookup is replaced by the new object management. This makes interactive search, the Powerfilter and many other functions available for CVE data. The Greenbone SecInfo CVE database contains the official CVE database of MITRE with over 50,000 CVEs.

  • SecInfo Management: OVAL database

    New element of the SecInfo Management are the OVAL data. OVAL stands for Open Vulnerability Assessment Language and is a formal description for vulnerability evaluation. These information help with the analysis and are cross-referenced via CVE. The Greenbone SecInfo OVAL database contains the official OVAL Repository of MITRE with over 14,000 OVAL Definitions.

  • SecInfo Management: DFN-CERT Database

    A new class in the SecInfo Management are the security alerts issued by the German DFN-CERT, the CERT of the German research network. These security alerts are published in German language and are referenced into scan result via CVE identifiers.

  • Port Lists: Now with new object management

    Port Lists are now handled via the new object management and therefore gain access to the power filter and to the functionality Clone.

  • Credentials: Now with new object management

    Credentials are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export. Passwords will of course not be present in exported data.

  • Schedules: Now with new object management

    Schedules are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.

  • Scan Configs: Now with new object management

    Scan Configs are now handled via the new object management and therefore gain access to the power filter and to the functionality Clone.

  • Alerts: Now with new object management

    Alerts are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.

  • Report Formats: Now with new object management

    Report Formats are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.

  • Slaves: Now with new object management

    Slaves are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.

  • Powerfilter: Syntax extension to select backward from current date for a fixed time span in timestamp columns. For example, "modified>-7d" will select all objects modified in the past 7 days.

  • Powerfilter: Syntax extension to select exact matches in multiple fields. For example, "=" will select all objects where any of the fields contains exactly this IP.

  • SCAP Feed-Update: This function is now also available via the Web-Interface in the Administration area. However, the updates are still done automatically in the background. A manual start is rarely needed in special situations.

  • Personal default powerfilters: In "My Settings" it is now possible to set a preferred Powerfilter for each object class. If you open the overview of the object class, for example the Task overview, automatically your personal default Powerfilter will be used to apply your preferred sorting and filtering.

  • Agents: Now with new object management


Patch level GOS 2.2.0:

  • 2.2.0-37 (2015-07-01): Released direct upgrade long jump to GOS 3.1 (#48897).
    Bugfix for direct migration long jump to GOS 3.1. (#49674).

  • 2.2.0-36 (2015-02-11): Bugfix about the NVT selection when using older, imported scan configurations where not always all NVTs were actually executed when scanning (#44536, #2014120310000016).
    Bugfix for individual timeout configuration of NVTs when executed on a slave system (#46298, #2014121110000019).
    Solution type information is now displayed in the NVT details dialog if provided by NVTs (#44470).
    Support for resuming slave scans has been improved (#37860).
    Improved error message for alerts that failed to execute due to missing report plugins (#38801, #2014070210000037).

  • 2.2.0-35 (2014-12-05): Bugfix for a rare error where the description of a NVT was truncated (#38502).
    Bugfix so that now the Powerfilter for NVTs includes the script tags (#43911).
    Internal improvement to prevent wrong usage of feed synchronisation in the expert mode of GSM administration (#35125).
    Bugfix for the problem that under some specific, non-reproducible conditions some NVTs where not executed for a given target (#43910).

  • 2.2.0-34 (2014-11-29): Urgent security-relevant bugfix about a attack vector for SQL injections. The attacker needs a user account for the GSM. (#44317, GBSA-2014-02).

  • 2.2.0-33 (2014-10-24): SSLv3 was removed from the list of available encryption protocols for the web interface as well as for OMP. Outdated client tools might not be able anymore to establish a connection (#42518, #42519).
    Bugfix to remove internal temporary backup file while doing a user data backup (#39334).
    Bugfix about missing Alert entries for Task creation in case a individual powerfilter was configured (#39333).
    In CVSS vectors "AU" is now accepted for "Au" (#40066).
    Minor bugfix to enable the internal log rotate for a log file (#37484).
    Changed pre-configured MTA to mail.example.com to avoid confusion (#42528).
    Bugfix that prevents the internal GOS cron processes trying to send local emails about log data to "postmaster" (#42529).

  • 2.2.0-32 (2014-09-26): Security update for third party tools used by Greenbone OS. This includes fixes for the vulnerabilities described in CVE-2014-6271 (Shellshock), CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 in GNU Bash (#41574).

  • 2.2.0-31 (2014-07-19): Bugfix that fixes the problem with multiple entries in the Host Access entry of a user configuration. Now all elements are accepted (#38736, #2014031910000031).
    Bugfix that solves a UTF-8 problem for Overrides and Trashcan. Under certain conditions it happened that the object lists where not accessible (#38709, #2014061010000032).
    Allow scheduled tasks to be also startable manually (#38516, #2013040610000028).
    Bugfix regarding timestamps of scan start: For stopped and later resumed scan tasks, the start time now remains to be the time of the initial start (#32949, #2013110410000027).
    Availability for upgrade to GOS 3.0 for GSM 6400/5300/5x0/25/25V. Please pay attention to the newsletter about this major upgrade or contact the Greenbone Support (#38990).

  • 2.2.0-30 (2014-05-24): Bugfix for the SCAP database to not ignore some specific CVEs in queries (#37235).
    Bugfix for GSM25V to allow Beta-upgrade to GOS 3.0 (#37599).
    Bugfix for internal offline-update of SCAP database (#37880).
    Bugfix regarding VM guest tools forr GSM 25V (#37565).
    Release GSM 100 for GOS 3.0 (#37563).
    Fixed typo in gos-admin-menu in a path note ("2.1" vs. "2.2") (#37562).
    Bugfix for non-self-signed SSL certificates to allow also longer certificate chains (37862#).
    Added warning note about remaining free disk space when starting upgrade to GOS 3.0 (#37654).

  • 2.2.0-29 (2014-05-10): Extension of sensor checks of master GSMs to validate SSL certificates of the sensors (#37339).
    Removal of unneeded elements of the boot process, thus also lowering volume of log messages (#37242).
    Bugfixes and improvements for the automatic sensor upgrade via sensor master for the upgrade from GOS 2.2.0 to 3.0 (#37239).
    Removal of unneeded files (hypervisor guest tools) for GSM ONE (#35931).
    Release for migration to GOS 3.0 for GSM ONE. (#37195).
    Bugfix that ensures to keep the setting "Apply Overrides" also after editing a task (#36136, #2014032010000028 ).

  • 2.2.0-28 (2014-04-12): Extended capabilities of the scanner for testing special TLS services (#36302, #36167).
    Bugfix that now allows to enter AD accounts for authenticated proxies in gos-admin-menu (#36425, #2014040110000026).
    Bugfix that fixes the visibility of tasks of deleted users (#33831, #2013121310000026).
    Bugfix that makes the scanner fix defect cache on its own (#35258).
    Improvement that helps to take care if maintenance reboots are necessary (#36373).
    Bugfix to solve the problem that under some certain conditions the cloning of a task create an empty container (#34636).
    Bugfix to remove some possibly left-over cache files (#36594).
    Bugfix to reduce the internal use of NTP (#35777).
    Slight speed-up of boot time for large databases (#36478).

  • 2.2.0-27 (2014-03-18): Bugfix for upgrade routine to GOS 3.0 (#35915).

  • 2.2.0-26 (2014-03-15): Due to much stricter SSL certificate checks in GOS 3.0 even for certificates only used internally, the validity is now checked prior to a release switch and you may get asked to update a certificate (#35353).
    Added for support and debug purposes: Internal logging of root commands (#31144, #35378).
    Released GOS 3.0 BETA-Tests for GSM 100 (#35915).

  • 2.2.0-25 (2014-02-14): Bugfix to re-enable the opportunity to create a new target. With the changes introduced in patch level 24 regarding UDP ports a regression occurred that is now solved. (#35257).

  • 2.2.0-24 (2014-02-12): Improved pre-installed Report Format Plugins to consider subsections of NVTs as recently introduced via Greenbone Security Feed (explicit sections for impact, insight, etc.) (#34232).
    Bugfix for scans where UDP ports are scanned while the respective TCP ports were not in the covered by the same Port List. This could have led to false negatives for some NVTs. The pre-configured port lists were not affected (#32366).
    In simple PDF Report Format Plugin, column "Most Severe Result(s)" was removed from the table as it was redundant and sometimes caused exceeding of the page width (#34788, #2014012710000019).
    Task details view now automatically considers the overrides switch (#35054, #2014020610000048).
    Tiny typo in GOS-Admin-Menu (mailhub) (#33890).
    Removed wrongly issued warning message when setting a sensor in GOS-Admin-CLI (#31062, #2013080210000046).
    Added internal lint package for NVTs to accelerate internal NVT QA process (#34111).
    Task status "Delete Requested" for email alerts is removed from web interface as it is of no practical value there (#34233).
    The password in the proxy credentials dialog of GOS-Admin-Menu is not printed on the screen anymore when entered in the dialog (#32707).
    Removed RC4 ciphers from offered ciphers of the HTTPS service of GSM (#34746).
    Internal improvements to prepare migration to GOS 3.0 (#34720, #34658, #35055).

  • 2.2.0-23 (2013-12-21): Bugfix to consider proxy settings during selfcheck in gos-admin-menu (#25028).

  • 2.2.0-22 (2013-12-19): Bugfix to deactivate menu item "Copy Userdata to USB" in gos-admin-menu while a backup is already in progress. (#30978, #2013080210000019).
    Added internal support of GSM sub-types (#32942).
    Bugfix to consider also CERT Feed via feed sync settings of gos-admin-menu (#32943).
    Improvement of performance of sensor synchronisation (#32944).
    Dropped static DHCP client-identifier which avoids trouble of multiple GSM handled by the same DHCP servers (#22577).
    Bugfix to avoid empty CVSS base values for some NVTs (#33365).
    Dropped internal fe80::dead:beef address to avoid log noise (#30977).
    Bugfix to transfer also ESXi credentials to slaves (#33455, #2013120210000056).
    Improved verinice connector regarding document uploads to verinice.PRO (#31798).
    Bugfix for graph "CVSS Distribution for Vulnerabilities" in GXR/GSR report formats that showed a wrong value for "High" in certain cases (#33371, #2013112710000038).

  • 2.2.0-21 (2013-11-09): Bugfix: A security problem is fixed in the OAP protocol that allowed to bypass the authentication procedure. However, due to the Greenbone OS security architecture, the privileges required to exploit this issue on any GSM would require higher privileges than gained through the exploit. Though no practical security problem arises, it is fixed for convenience (#32989).

  • 2.2.0-20 (2013-11-09): Security bugfix: A security problem is fixed in the OMP protocol that allowed to bypass the OMP authentication procedure. The attack vector is remotely available in case public OMP is enabled. In case of successful attack, the attacker gains partial rights to execute OMP commands. The bypass authentication is, however, incomplete and several OMP commands will fail to execute properly (#32985, GBSA-2013-01).

  • 2.2.0-19 (2013-10-29): Add timezone entry in dialog "New Schedule" (#30981, 2013040810000061).
    Improve error handling for situations where single internal services are taken down. This reduces system load if such cases happen (#31966).
    Internal improvements to prepare direct upgrade opportunity from GOS 2.0 to GOS 2.2 (#32221).
    Improved consistency of the overrides setting (#32222, #31567, 2013100210000087, 2013090510000021).
    Strip last part of subnet IP in built-in NBE Report Format Plugin for compatibility/convenience (#32519).
    Bugfix to allow GSM 5x0 to store the public master key of another master GSM (#32816, 2013102410000036).
    Enable sensor mode option for GSM 100 and GSM 5x0 for GSM 5300/6400 as Sensor Master (#32860).

  • 2.2.0-18 (2013-10-12): Bugfix to re-enable OMP interface if it was enabled before. The public OMP interface accidentally was shut-down with patch level 17 on some GSM systems. This especially affects scan sensors. However, managed sensors are automatically re-enabled once the master unit is updated to patch level 18. (#32355).

  • 2.2.0-17 (2013-09-28): Extended built-in NBE report format plugin to add cross-references in result texts (#31285, 2013080910000042).
    Bugfix to get authenticated tests using autogenerated PKCS#8 SSH credentials to work (#31486, #2013082910000013).
    Added feature to allow creating notes and overrides directly from the NVT details dialog (#32021, #2013092410000039).
    Bugfix to reduce number of unneeded log messages (#32070).
    Bugfix for cases where it happened that a new-style NVT reported an empty text when detecting the vulnerability. Old results with empty result text will be extended with a standard text. The scan result as such was always correct (#32034, #32071, #2013092510000019).

  • 2.2.0-16 (2013-09-20): Bugfix for upgrade of sensors with outdated Feed. (#31911).

  • 2.2.0-15 (2013-09-18): Bugfix to ensure to have special configurations of OMP service stay active over migration from 2.1 to 2.2 (#31725).
    Bugfix to have the Sensor synchronization consider the release version (#31722).
    Added the "autoslavesync" option to gos-admin-menu under menu "Sensors" for GSMs that are capable of being Sensor Masters (#31723).
    Added "feedsync" and "feedfrommaster" option to gos-admin-menu under menu "Feed Management" (#31797).

  • 2.2.0-14 (2013-08-31): Bugfix to avoid warning messages "cleanup_manage_process" in the log file (#31288).
    Bugfix for a internal error when trying to change the password (#31007).
    Bugfix for re-login problems after changing the password (#31006).
    Added "Restore Userdata Backup" option to gos-admin-menu for GSM 100 (#31359).
    Bugfix to avoid a wrong error log file message on "database backup failed". The backup was created correctly (#31286).
    Improved userdata restore procedure with an immediate database rebuild (#31361).
    Extended selfcheck with warning in case a patch-level update has not yet been applied (#31414).
    Minor corrections of internal system documentation (#31437).
    Bugfix for the tooltip on NVT names in the NVT overview list of SecInfo Management (#31479).
    Reduced internal log level from 128 to 127 to avoid some debug logging in the regular logging (#31481).

  • 2.2.0-13 (2013-08-22): Affects only GSM 500 or beyond and only when used with Scan Sensors that are configured for automatic update via Master-GSM: Some systems were shipped with a pre-generated masterkey for usage with scan sensors. If such a key is found during update to this patch level, it will be deleted and a new one created with suitable identifier. This makes it urgently necessary to update the key manually on each scan sensor via the command "masterkeydownload". Whether a GSM is affected can be checked via the extended self-check of GOS-Admin-Menu (#31081).
    Bugfix for permission problem at restore of a userdata backup (#30903).
    Extended allowed characters in comment fields by round brackets (#30426, #2013062610000022).
    Bugfix to immediately delete single results of a finally removed report. At this occasion the database is searched for other orphaned results and will remove these as well (#30960).
    Bugfix for OMP: If get_overrides is called with details=1, now the threat-element will be included in the response according to API documentation (#30968).
    Log information on execution of OMP commands now contains also the name of the user who executed the command (#30320, #2013062110000022).
    Bugfix for sorting NVTs by CVSS. Now the sorting takes place on numerical basis instead of string basis (#30343).
    The userdata backup now includes the "private" areas of NVT, SCAP and CERT (#31083).
    Autogenerated credential installer: Now, space characters are possible in the name (#31063, #2013080610000057).
    Bugfix for Reports with Overrides: False Positives were included in a report even if "No overrides" was selected. This has been fixed (#31126, #2013080910000033).
    GOS-Admin-Menu will now issue a warning in case the free disk space is low. The test for free disk space is now also part of the Selfcheck (#31143).
    Extension of Selfcheck in GOS-Admin-Menu to check whether scan sensors can automatically be updated (#31148).
    It is now ensured that during a migration from GOS 2.1 to GOS 2.2 there is sufficient entropy for the creation of the credential encryption key. This reduces the migration duration significantly (#30988, #2013080210000037).
    Bugfix for web interface: Special characters in the URL are no ignored. Before it was possible to loose the session token when this happened and a user had to authenticate again (#31164).

  • 2.2.0-12 (2013-07-27): Performance improvement for OMP command "get_nvts" (#30754).
    Extended allowed characters in comment fields by round brackets (#30426, #2013062610000022).
    Bugfix for migration from GOS 2.1 to GOS 2.2 regarding the encryption of credential passwords (#30880).
    Bugfix for GSM 25/100 for the CLI Admin command "show usb" (#30898).

  • 2.2.0-11 (2013-07-17): Bugfix for creation of a new filter with an empty filter directive (#30220).
    Bugfix to display active state of Report Format Plugins correctly for newly imported plugins (#30164).
    Bugfix for creation of overrides (#30252).
    Bugfix fpr OMP calls for special Asset Reports (#30301, #2013061210000012).
    Bugfix for the CVSS Calculator that now can interpret all abbreviations (#30253).
    Bugfix for GOS-Admin-Menu that makes the userdata backup visible again for GSM 100 (#29482).
    Bugfix for the creation of special Notes and Overrides (#30376, #30379, #2013062410000017).
    Bugfix for XML escaping in URL references in NVT meta data (#30389, #2013062510000015).
    Bugfix that removes a wrong error message that could occur during Feed updates. (#30596).
    Bugfix for GOS-Admin-Menu so that for GSM 25V it is allowed to configure 4 network interfaces (#30704).

  • 2.2.0-10 (2013-06-19): Disallow invalid port numbers when editing a Note or Override (#29905).
    Bugfix for auto-credential creation (#30161, #2013061310000074).
    In Results View, extended text search to new-style NVTs with their extended description sections (#30042).
    Bugfix for OMP interface which was not responding (#30119, #30162, #2013061210000012).
    Improved performance of Task Details page (#28828, #2013040310000015).
    Fixed bug for displaying certain DFN-CERT entries. Now the description is displayed also when no CVEs are referenced (#30039).
    Updates of built-in Report Format Plugins GXR and GSR (#29984).
    Improved automatic internal recovery from malformed database situations (#29964).
    Bugfix for internal flash-upgrade mechanism to allow for future upgrades (#30118).

  • 2.2.0-9 (2013-06-07): Last release of Beta phase. First release of 2.2.0.